SMU researchers discover vulnerabilities in Android 4.4 and 5.1

Nurdianah Md Nur |
July 4, 2016

Google has recognised and rectified those security weaknesses in the newer versions of Android.

The Singapore Management University (SMU) announced that a team from its School of Information Systems (SIS) recently discovered several security weaknesses in Google's Android 4.4 and Android 5.1 systems in their security research projects with Huawei.

The weaknesses were found when SMU SIS' PhD candidate Su Mon Kywe and Associate Professor Li Yingjiu performed vulnerability analysis on the Android framework to discover security loopholes in the Android systems and report them to platform providers in a timely manner.

The vulnerabilities were reported to Google in November 2015, and the tech giant has subsequently fixed them in the newer versions of their Android systems. The team's contribution was also publicly acknowledged in Google's Security Bulletin in March 2016.

According to SMU, the team's research involved several static source-code analysis, such as building callgraphs and analysing data-flow, on Android Open Source Project (AOSP) published by Google.

The source code of AOSP is also used by other platform vendors, such as Samsung and Huawei, with their own customisations.

The result of SMU researchers' analysis revealed that several types of attacks can be launched on mobile users using AOSP versions 4.4 and 5.1.

The researchers found that without requesting for any permission, a malicious third-party application can gain access to the mobile device's identification number, phone service state, SIM card state, Wi-Fi and network information, as well as user setting information, such as airplane, location, Near Field Communication (NFC), Universal Serial Bus (USB) and power modes.

A hacker can also interfere with Bluetooth services, and block incoming emails, calendar events, and Google documents. Moreover, a hacker can alter the volumes of mobile devices and trigger alarm tones and ringtones that users had set for their mobile device.

Professor Pang Hwee Hwa, Dean of SMU School of Information Systems, commented, "We are proud of our researchers' efforts in boosting the security of Google's Android system. By leveraging our expertise and technologies in cybersecurity, the SMU team has been able to create an impact beyond the academic and research communities, to bring about benefits to businesses and individuals."